8.4. Risk Management
A risk management tool used on many programs is the Risk Management Board
(RMB). This board is chartered as the senior program group that
evaluates all program risks and their root causes, unfavorable event
indications, and planned risk mitigations. In concept, it acts similar
to a configuration control board. It is an advisory board to the PM and
provides a forum for all affected parties to discuss their concerns.
RMBs can be structured in a variety of ways, but share the following
- They should be formally chartered by the PM and have a defined area of
responsibility and authority. Note that RMBs may be organized as
program office only, program office with other Government offices (such as
PEO Systems Engineer, User, Defense Contract Management Agency, test
organizations, SMEs), or as combined
government-contractor-subcontractor. The structure should be adapted
to each program office’s needs.
- Working relationships between the board and the program office staff
functional support team should be defined.
- The process flow for the RMB should be defined.
- The frequency of the RMB meetings should be often enough to provide a
thorough and timely understanding of the risk status, but not too frequent
to interfere with the execution of the program plan. Frequency may
depend on the phase of the program; e.g., a development program may require
monthly RMBs, while a production or support program may hold quarterly
- Interfaces with other program office management elements (such as the
various working groups and the configuration control board) should be
On programs with many significant root causes, the RMB provides an
effective vehicle to ensure each root cause is properly and completely
addressed during the program life cycle. It is important to remember
that successful risk tracking is dependent on the emphasis it receives during
the planning process. Further, successful program execution requires the
continual tracking of the effectiveness of the risk mitigation plans.
The program management team can assign the risk management responsibility
to individual IPTs or to a separate risk management team. In addition,
the program office should establish the working structure for risk
identification and risk analysis and appoint experienced Government and
industry personnel as well as outside help from SMEs, as appropriate.